It's a new year, so I thought I'd let you in on a recent change for me. Over the last month, I've taken on a new role at Alphabet as Director of Security and Privacy for Nest. Security and privacy are critical for Nest’s products and users, and I’m thrilled to have the chance to help Nest build great user experiences and provide a guiding light as the entire IoT industry focuses attention on these issues.

As part of this, I have also handed off Android Security to Dave Kleidermacher and the rest of the Android Security team. This is a big change for me -- Android Security has been one of the most amazing journeys of my life. I have an incredibly long list of people to thank for your effort, commitment, support and investment in Android security over the last 6+ years. I’m looking forward to seeing the advances in Android (and Nest) Security in 2018 and beyond!


Winston Chong: Congratulations, and be the best.

Chad Brubaker: Good luck in your new adventures, thanks for everything you did on Android!

Go N: Thanks for your great efforts in Android Enterprise, and all the best.

Had an awesome time presenting "What's New in Android Security" with +xiaowen xin today at Google I/O.

What's New in Android Security (Google I/O '17)


Ron Amadeo: +Adrian Ludwig I loved the talk! Are the slides for this anywhere? I could steal screencaps from the video but 720p doesn't look that great.

Dan Hirsch: Any details about WireX? Have the apps really been downloaded manually? Have all Android versions and Security Patch levels been affected?

Sean Caldwell: Cool Presentation. I am part of a potential startup and our focus is on mobile user authentication. Would you or someone in Google (or its sub companies) be willing to spend 30 minutes to talk to our team in a customer discovery interview?

I’m really excited to see us unveil Google Play Protect [android.com/play-protect] at Google I/O earlier today. As most people who read my G+ page probably already know -- this isn’t entirely a “new” product launch; it is the culmination of years of work defending users and protecting devices against both broad threats and targeted attacks.

The launch of Google Play Protect is about making sure the average consumer or enterprise user understands that Google is really serious about doing everything we can to protect Android users. We’ve built our name and reputation into these protections. And we’re committed to strengthening these protections through the services we provide, the operating system we build, and the work that we do with ecosystem partners to make sure that devices are safe and secure.

Congratulations to all of the engineers, security analysts, product managers (and now marketers!) who have been working for years to make Google Play Protect a reality!

Philipp Grunwald: What is new about this? It seems that all these features already existed previously, except maybe for the GooglePlay Store notification?

Adrian Ludwig: +Philipp Grunwald Under the covers, we're constantly making improvements to Google Play Protect and we do so without a lot of fanfare. The biggest change we talked about today was that a number of places where security checks are taking place (at install, within Google Play, periodically in the background, etc.) will now be exposed to the user. Previously, those checks were completely invisible.

Dominic Battre: I think that's an important change but the audience at the keynote was a bit puzzled why we were telling them.

"Although ransomware has begun to target mobile devices, it’s still rare: Since 2015, less than 0.00001 percent of installations from Google Play, and less than .01 percent of installations from sources other than Google Play, were categorized as ransomware. (That's less than the odds of getting struck by lightning twice in your lifetime!)."

David J Sr: Hello Andrew, David out of Pompano Beach FL 33604. Is there a current cyberattack going on in this location? Every one of my colleagues' and associates' Google phone accounts seems to have been compromised, both Android and iPhone. Please investigate and get back to me. When contacted, I will give you my university email (.edu) so that I can release more details. Thank you.

Thiagarajan Pillai: I am a school teacher, and I have to pass this message on to my students. [Once again a novice question] "Is it necessary to install antivirus / Internet security software on Android phones?"

I'm really excited to see the Android Security Year in Review go out this morning. This reflects the work of a huge number of teams, from across Google and the Android ecosystem. Congratulations and thank you to so many people!

I'm especially excited this year because we're already seeing discussion about some of the more complex stories that are deeper down in the report. (Which means people are actually reading the 70-page report!)

Abhilash Bingi: It'd also be great for security if Google provided security updates for their phones for more than 3 years. My mom uses my old Nexus 4 which is fine for her use, but it doesn't get security updates anymore.

Ryan Ware: I'm glad to see they're at least moving in the right direction! Hopefully they'll actually successfully do it.

Jens H.: +Jérôme Willing From what I've gathered so far, "unlocked" phones were treated differently in the US of A, probably because almost nobody bought them (or could buy them, somewhere I've read it took three months until you could buy an unlocked S7 last year).

Branislav Antic: They just have to. Otherwise, it's not going to last long.

"Chamois was one of the largest PHA families seen on Android to date and distributed through multiple channels. To the best of our knowledge Google is the first to publicly identify and track Chamois."

I posted your Google Cloud Next talk on an Android-related security article on Ars Technica, and a lot of readers were surprised to realize the number of security protections Android offers by default to users.

Hopefully, articles like this help redefine the narrative around Android security.

Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware.

Ghost Push has continued to evolve since we began to track it. As we explained in last year's Android Security report [https://goo.gl/yrSqAG], in 2015 alone, we found more than 40,000 apps associated with Ghost Push. Our actions have continued at this increasingly large scale: our systems now detect and prevent installation of over 150,000 variants of Ghost Push.

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point [https://www.checkpoint.com/], a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. This morning, Check Point detailed those findings on their blog.

As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we've taken so far.

Findings

- No evidence of user data access: In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.
- No evidence of targeting: We used automated tools to evaluate whether specific users or groups of users were targeted. We found no evidence of targeting of specific users or enterprises, and less than 0.1% of affected accounts were GSuite customers. Ghost Push is opportunistically installing apps on older devices.
- Device integrity checks can help: We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot [https://source.android.com/security/verifiedboot/], which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push.
- Device updates can help: Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected. Also, if a system image is available (such as those we provide for Nexus and Pixel devices [https://developers.google.com/android/images]) a reinstall of the system software can completely remove the malware.
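As an added example (not code from the original post or from Google), the two device-side findings above, Verified Boot enforcement and an up-to-date security patch level, can be turned into a quick triage check over the output of `adb shell getprop`. The property names are real Android system properties; the sample dumps and the `2016-11-01` threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: rate a device against the two device-side
# findings above (Verified Boot enforced, security patch level current) using the output of
# `adb shell getprop`. ro.boot.verifiedbootstate and ro.build.version.security_patch are
# real Android properties; the dumps and the 2016-11-01 threshold below are constructed.

# prop DUMP NAME: print the value of NAME from getprop-style "[name]: [value]" lines.
prop() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# assess DUMP MIN_PATCH: print one word.
#   exposed    no patch level at all (pre-6.0 builds) or older than MIN_PATCH, so the
#              publicly known bugs Ghost Push variants use may be unpatched
#   patched    patch level current, but Verified Boot not enforcing (system partition
#              can be modified, so a compromise is harder to remove)
#   protected  patch level current and Verified Boot state "green"
assess() {
    state=$(prop "$1" ro.boot.verifiedbootstate)
    patch=$(prop "$1" ro.build.version.security_patch | tr -d '-')
    min=$(printf '%s' "$2" | tr -d '-')
    # YYYYMMDD compares correctly as an integer; a missing patch level counts as 0
    if [ "${patch:-0}" -lt "$min" ]; then
        echo exposed
    elif [ "$state" = "green" ]; then
        echo protected
    else
        echo patched
    fi
}

# Constructed sample dumps (not captured from real devices).
OLD_DEVICE='[ro.build.version.release]: [4.4.4]
[ro.build.version.sdk]: [19]'
UNLOCKED_DEVICE='[ro.build.version.release]: [6.0.1]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.version.security_patch]: [2016-11-05]'
CLEAN_DEVICE='[ro.build.version.release]: [7.1]
[ro.boot.verifiedbootstate]: [green]
[ro.build.version.security_patch]: [2016-11-05]'

if [ "${1:-}" = "--demo" ]; then
    for d in "$OLD_DEVICE" "$UNLOCKED_DEVICE" "$CLEAN_DEVICE"; do
        echo "$(prop "$d" ro.build.version.release): $(assess "$d" 2016-11-01)"
    done
fi
# Live use against a connected device: assess "$(adb shell getprop)" 2016-11-01
```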

Actions

- Strengthening Android ecosystem security: We’ve deployed Verify Apps [https://goo.gl/9rqdiH] improvements to protect users from these apps in the future. Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.
- Removing apps from Play: We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future. Downloading apps from Google Play, rather than from unknown sources [https://goo.gl/9rqdiH], is a good practice and will help reduce the threat of installing one of these malicious apps in the future.
- Protecting Google Accounts: We revoked affected users’ Google Account tokens and provided simple instructions so they can sign back in securely. We have already contacted all users that we know are affected.
- Teaming up with Internet service providers: We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware, and will slow future efforts.

Recap

We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.

This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe.


David J Sr: Hello Andrew, David out of Pompano Beach FL 33604. Is there a current cyberattack going on in this location? Every one of my colleagues' and associates' Google phone accounts seems to have been compromised, both Android and iPhone. Please investigate and get back to me. When contacted, I will give you my university email (.edu) so that I can release more details. Thank you.

Steve Nordquist: The good news is that his university has no computer science division or IT department; the bad news is that their ground owl breeding inventions have a memory leak and owls are roosting in walls, roofs and ceilings...